[DEFAULT]
plugin_id=7007

[config]
type=detector
enable=yes

source=log
location=<%= @osseclog %>
#location=/var/ossec/logs/alerts/alerts.log

# create log file if it does not exists,
# otherwise stop processing this plugin
create_file=false

process=ossec-logcollector
start=no   ; launch plugin process when agent starts
stop=no     ; shutdown plugin process when agent stops
restart=no  ; restart plugin process after each interval
restart_interval=_CFG(watchdog,restart_interval) ; interval between each restart
startup=/etc/init.d/ossec-hids start
shutdown=/etc/init.d/ossec-hids stop

# Windows audit failure event too noisy - 18105
# Windows Logon Success event too noisy - 18107
# Multiple Windows audit failure events too noisy - 18153
#exclude_sids=18105,18107
exclude_sids=1002

# ossec v2.5.1
[translation]
01=7001
02=7002
03=7003
04=7004
05=7005
06=7006
07=7007
500=7007
501=7007
502=7007
503=7007
504=7007
509=7093
510=7093
511=7093
512=7093
513=7093
514=7093
515=7094
516=7093
518=7093
530=7104
531=7018
532=7007
550=7094
551=7094
552=7094
553=7094
554=7094
555=7102
580=7095
581=7095
591=7007
592=7090
593=7087
1001=7017
1002=7017
1003=7017
1004=7017
1005=7017
1006=7017
1007=7018
1008=7027
2100=7019
2101=7019
2102=7019
2103=7019
2104=7019
2301=7020
2501=7010
2502=7010
2503=7022
2504=7011
2505=7021
2506=7021
2550=7021
2551=7050
2701=7023
2800=7024
2801=7024
2802=7024
2803=7024
2830=7029
2831=7029
2832=7029
2833=7029
2834=7029
2900=7116
2901=7116
2902=7042
2903=7042
2930=7112
2931=7112
2932=7042
2933=7042
2934=7042
3100=7076
3101=7076
3102=7074
3103=7074
3104=7074
3105=7074
3106=7074
3107=7076
3108=7074
3109=7044
3151=7075
3152=7075
3153=7075
3154=7075
3155=7075
3156=7075
3158=7075
3190=7077
3191=7074
3300=7073
3301=7074
3302=7074
3303=7074
3304=7074
3305=7074
3306=7074
3320=7073
3330=7027
3331=7027
3332=7010
3333=7027
3334=7073
3351=7075
3352=7075
3353=7075
3354=7075
3355=7075
3356=7075
3357=7012
3390=7073
3500=7084
3501=7084
3502=7084
3600=7078
3601=7010
3602=7009
3603=7078
3651=7012
3700=7079
3701=7079
3702=7074
3751=7075
3800=7081
3801=7074
3802=7074
3851=7075
3852=7075
3900=7056
3901=7050
3902=7010
3903=7056
3904=7009
3910=7012
3911=7014
4100=7002
4101=7068
4151=7069
4300=7041
4310=7041
4311=7041
4312=7041
4313=7041
4314=7041
4315=7041
4321=7010
4322=7041
4323=7009
4324=7010
4325=7041
4326=7022
4327=7041
4330=7041
4331=7041
4332=7041
4333=7003
4334=7010
4335=7009
4336=7010
4337=7027
4338=7027
4339=7042
4340=7042
4341=7041
4342=7043
4380=7041
4381=7041
4382=7044
4383=7041
4385=7041
4386=7012
4500=7071
4501=7071
4502=7071
4503=7071
4504=7071
4505=7027
4506=7009
4507=7009
4508=7042
4509=7042
4513=7071
4550=7071
4551=7071
4552=7071
4553=7071
4700=7070
4710=7070
4711=7070
4712=7070
4713=7070
4714=7070
4715=7070
4716=7070
4717=7070
4721=7042
4722=7009
4724=7010
4800=7072
4801=7072
4802=7072
4803=7072
4804=7072
4805=7072
4806=7072
4807=7072
4810=7009
4811=7010
4850=7027
4851=7027
5100=7025
5101=7025
5102=7025
5103=7025
5104=7026
5105=7025
5106=7025
5107=7025
5108=7027
5109=7025
5110=7025
5111=7025
5112=7025
5113=7028
5130=7025
5131=7025
5200=7025
5300=7030
5301=7010
5302=7010
5303=7009
5304=7009
5305=7030
5400=7033
5401=7033
5402=7033
5403=7033
5500=7001
5501=7009
5502=7001
5503=7010
5504=7011
5521=7001
5522=7001
5551=7012
5600=7016
5601=7016
5602=7016
5603=7016
5604=7016
5631=7016
5700=7013
5701=7013
5702=7013
5703=7013
5704=7013
5705=7013
5706=7014
5707=7015
5709=7013
5710=7010
5711=7013
5712=7012
5713=7013
5714=7015
5715=7009
5716=7010
5717=7013
5718=7011
5719=7013
5720=7012
5901=7032
5902=7032
5903=7032
5904=7032
6100=7119
6101=7119
6102=7119
6103=7009
6104=7010
6105=7009
6106=7010
6200=7121
6201=7121
6202=7121
6203=7121
6210=7010
6211=7011
6212=7011
6250=7121
6251=7121
6252=7121
6300=7109
6301=7103
6302=7027
6303=7044
6304=7124
6305=7124
6306=7124
6307=7124
6308=7124
6309=7124
6310=7124
6311=7124
6312=7124
6313=7124
6314=7124
6315=7124
6316=7106
6317=7106
6318=7123
6319=7123
6320=7123
6321=7122
6322=7123
6323=7124
6350=7109
6351=7110
6352=7110
6354=7110
6355=7110
6356=7110
6357=7110
6358=7110
6359=7110
6360=7110
6361=7103
6362=7027
6363=7027
6364=7044
6365=7110
6366=7110
6367=7110
6368=7110
6369=7110
6370=7110
6371=7110
6372=7110
6373=7110
6374=7110
6376=7110
7101=7031
7200=7036
7201=7037
7202=7038
7203=7027
7204=7038
7205=7036
7206=7036
7300=7039
7301=7039
7310=7040
7320=7039
7400=7039
7410=7010
7415=7009
7420=7009
7500=7111
7501=7111
7502=7111
7503=7111
7504=7040
7505=7040
7506=7040
7507=7111
7508=7111
7509=7111
7510=7111
7511=7111
07512=7111
7513=7111
7514=7111
7550=7111
7600=7105
7610=7040
7611=7040
7612=7105
7613=7105
7701=7114
7710=7040
7711=7040
7712=7040
7720=7086
7731=7114
7750=7114
7751=7114
9100=7034
9101=7034
9102=7034
9200=7005
9201=7005
9300=7054
9301=7054
9302=7054
9303=7054
9304=7027
9305=7009
9306=7010
9351=7012
9352=7027
9400=7117
9401=7010
9402=7009
9500=7113
9501=7010
9502=7009
9503=7113
9504=7113
9505=7113
9510=7113
9551=7012
9600=7101
9610=7010
9611=7027
9700=7100
9701=7009
9702=7010
9703=7100
9704=7100
9705=7010
9706=7100
9707=7011
9750=7012
9751=7012
9800=7118
9801=7010
9820=7012
9900=7055
9901=7010
9902=7011
9903=7010
9904=7009
9951=7012
9952=7012
9953=7012
10100=7009
11100=7098
11101=7022
11102=7098
11103=7098
11104=7098
11105=7098
11106=7050
11107=7022
11108=7047
11109=7012
11110=7098
11111=7010
11112=7010
11113=7010
11200=7052
11201=7050
11202=7052
11203=7011
11204=7010
11205=7009
11206=7022
11207=7022
11208=7052
11209=7052
11210=7012
11211=7052
11212=7052
11213=7050
11214=7052
11215=7052
11216=7052
11217=7052
11218=7027
11219=7052
11220=7052
11221=7052
11251=7012
11252=7014
11253=7052
11300=7051
11301=7050
11302=7010
11303=7051
11304=7051
11305=7051
11306=7012
11307=7014
11309=7009
11400=7049
11401=7050
11402=7009
11403=7010
11404=7049
11451=7012
11452=7014
11500=7053
11501=7050
11502=7010
11503=7009
11504=7053
11510=7012
11511=7014
11512=7053
12100=7045
12101=7046
12102=7022
12103=7047
12104=7044
12105=7045
12106=7045
12107=7045
12108=7045
12109=7027
12110=7044
12111=7044
12112=7045
13100=7048
13101=7048
13102=7022
13103=7048
13104=7022
13105=7048
14100=7082
14101=7010
14110=7082
14111=7082
14112=7082
14120=7009
14121=7082
14122=7082
14123=7082
14151=7082
14200=7083
14201=7009
14202=7010
14203=7009
14251=7012
17101=7115
17102=7108
18100=7006
18101=7006
18102=7006
18103=7044
18104=7006
18105=7006
18106=7085
18107=7009
18108=7006
18109=7006
18110=7043
18111=7043
18112=7043
18113=7086
18114=7107
18115=7043
18116=7012
18117=7028
18118=7087
18119=7009
18120=7006
18121=7006
18125=7010
18126=7009
18127=7043
18128=7043
18129=7018
18130=7085
18131=7088
18132=7088
18133=7088
18134=7088
18135=7085
18136=7085
18137=7085
18138=7085
18139=7085
18140=7089
18141=7028
18142=7043
18143=7043
18144=7043
18145=7086
18146=7006
18147=7006
18148=7006
18149=7006
18151=7006
18152=7012
18153=7006
18154=7006
18155=7006
18156=7012
18170=7090
18171=7090
18172=7090
18180=7085
18181=7009
18200=7099
18201=7125
18202=7099
18203=7107
18204=7107
18205=7125
18206=7099
18207=7107
18208=7107
18209=7125
18210=7107
18211=7107
18212=7099
18213=7107
18214=7107
18215=7107
18216=7125
18217=7107
18218=7107
18219=7107
18220=7107
18221=7107
18222=7107
18223=7107
18224=7006
18225=7107
18226=7107
18227=7107
18228=7107
18229=7107
18230=7107
18231=7107
18232=7107
18233=7107
18234=7107
18235=7107
18236=7107
18237=7107
18238=7107
18239=7107
18240=7107
18241=7107
18242=7107
18243=7107
18244=7107
18245=7107
18246=7107
18247=7107
18248=7107
18249=7107
18250=7107
18251=7107
18252=7107
18253=7107
18254=7107
18255=7107
18256=7107
18560=7097
19100=7120
19101=7120
19102=7120
19103=7120
19104=7120
19105=7120
19106=7120
19107=7120
19110=7009
19111=7010
19112=7009
19113=7010
19120=7027
19121=7120
19122=7120
19123=7042
19150=7027
19151=7027
19152=7012
19153=7012
20100=7035
20101=7003
20102=7003
20103=7003
20151=7003
20152=7003
20161=7003
20162=7003
30100=7062
30101=7062
30102=7062
30103=7062
30104=7027
30105=7022
30106=7022
30107=7063
30108=7010
30109=7011
30110=7010
30112=7064
30115=7065
30116=7065
30117=7065
30118=7022
30119=7022
30120=7027
30200=7062
30201=7022
30202=7022
31100=7058
31101=7058
31102=7058
31103=7060
31104=7059
31105=7059
31106=7059
31107=7058
31108=7058
31115=7046
31120=7058
31121=7058
31122=7044
31123=7058
31140=7058
31151=7014
31152=7060
31153=7059
31154=7059
31161=7014
31162=7044
31163=7014
31200=7092
31201=7092
31202=7092
31203=7092
31204=7092
31205=7010
31206=7092
31251=7092
31300=7062
31301=7062
31302=7062
31303=7062
31310=7062
31311=7062
31312=7062
31315=7010
31316=7012
31320=7065
31401=7062
31402=7062
31403=7062
31404=7062
31405=7062
31406=7062
31410=7062
31411=7059
31412=7062
31420=7062
31421=7062
31430=7062
35000=7005
35002=7005
35003=7005
35004=7005
35005=7005
35006=7005
35007=7005
35008=7005
35009=7005
35010=7005
35021=7063
35022=7063
35023=7005
35051=7005
35052=7005
35053=7005
35054=7005
35055=7005
35056=7005
35057=7005
35058=7005
35095=7005
40101=7011
40102=7015
40103=7015
40104=7015
40105=7015
40106=7015
40107=7015
40109=7015
40111=7012
40112=7090
40113=7040
40501=7091
40601=7014
50100=7066
50105=7009
50106=7010
50107=7066
50108=7066
50120=7027
50121=7027
50125=7066
50126=7027
50180=7027
50500=7067
50501=7067
50502=7067
50503=7067
50504=7067
50505=7067
50510=7067
50511=7009
50512=7010
50520=7027
50521=7027
50580=7027
50581=7027
100001=7001
140125=7097
1=7999
2=7999
3=7999
4=7999
5=7999
6=7999
7=7999
8=7999
9=7999
10=7999
11=7999
12=7999
13=7999
14=7999
15=7999
16=7999
17=7999
18=7999
19=7999
20=7999
21=7999
22=7999
23=7999
24=7999
25=7999
26=7999
27=7999
28=7999
29=7999
30=7999
31=7999
32=7999
33=7999
34=7999
35=7999
36=7999
37=7999
38=7999
39=7999
40=7999
41=7999
42=7999
43=7999
44=7999
45=7999
46=7999
47=7999
48=7999
49=7999
50=7999
51=7999
52=7999
53=7999
54=7999
55=7999
56=7999
57=7999
58=7999
59=7999
60=7999
61=7999
62=7999
63=7999
64=7999
65=7999
66=7999
67=7999
68=7999
69=7999
70=7999
71=7999
72=7999
73=7999
74=7999
75=7999
76=7999
77=7999
78=7999
79=7999
80=7999
81=7999
82=7999
83=7999
84=7999
85=7999
86=7999
87=7999
88=7999
89=7999
90=7999
91=7999
92=7999
93=7999
94=7999
95=7999
96=7999
97=7999
98=7999
99=7999


[OSSEC - Apache - Authentication failed]
#** Alert 1314685162.9787143: - apache,authentication_failed,
#2011 Aug 30 08:19:22 sensor->/var/log/apache2/error.log
#Rule: 30110 (level 5) -> 'User authentication failed.'
#Src IP: 127.0.0.1
#User: (none)
#[Tue Aug 30 08:19:21 2011] [error] [client 127.0.0.1] user \b\xaa?\x01: authentication failure for "/test/": Password Mismatch
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n\[(?P<date_event>\w+\s+\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)\].*client\s+(?P<sip_event>.*)\]\s+user\s+(?P<user_event>.*):\s(?P<msg_alert>.*)\sfor\s+\"(?P<path>.*)\":.*\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($sip_event)}
dst_ip={resolv($agent_ip)}
username={$user_event}
userdata1={$msg}
userdata2="http://{resolv($agent_ip)}{$path}"
userdata9={$agent_name}

[OSSEC - PAM-UNIX - Authentication]
#** Alert 1314689504.10082038: - pam,syslog,authentication_failed,
#2011 Aug 30 09:31:44 sensor->/var/log/auth.log
#Rule: 5503 (level 5) -> 'User login failed.'
#Src IP: 172.16.92.10
#User: test
#Aug 30 09:31:44 test sshd[1412]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.92.10  user=test

#** Alert 1314708539.10918347: - syslog, su,authentication_failed,
#2011 Aug 30 14:48:59 sensor->/var/log/auth.log
#Rule: 2501 (level 5) -> 'User authentication failure.'
#Src IP: (none)
#User: (none)
#Aug 30 14:48:58 sensor su[1592]: pam_authenticate: Authentication failure
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\nUser:\s(?P<user>.*)\n(?P<date_event>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor_event>\w+)\s+(?P<service>\w+)\[.*:\s+(pam_unix\(sshd:auth\)|pam_authenticate).*:\s\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($sip)}
dst_ip={resolv($agent_ip)}
username={$user}
userdata1={$msg}
userdata2={$service}
userdata9={$agent_name}

[OSSEC - SUDO - Command executed]
#** Alert 1315380432.4453388: - syslog,sudo
#2011 Sep 07 09:27:12 sensor01->/var/log/auth.log
#Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
#Src IP: (none)
#User: test
#Sep  7 09:27:11 sensor01 sudo:  test: TTY=pts/2 ; PWD=/home/test; USER=root ; COMMAND=/bin/bash
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\w+\s+\d+\s+\d+:\d+:\d+) (?P<sip_event>\S+) sudo: (?P<user_event>\S+)\s+:\s+TTY=(?P<tty>\S+)\s;\sPWD=(?P<pwd>\S+)\s;\sUSER=(?P<user_command>\S+)\s;\sCOMMAND=(?P<command>\S+)\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
username={$user_event}
userdata1={$msg}
userdata2="sudo"
userdata3="{$command}"
userdata4="{$pwd}"
userdata5="{$tty}"
userdata9={$agent_name}

[OSSEC - SUDO - Successfully logged]
#** Alert 1315864876.4133: mail  - syslog,attacks,invalid_login,
#2011 Sep 13 00:01:16 test->/var/log/auth.log
#Rule: 40101 (level 12) -> 'System user successfully logged to the system.'
#Src IP: (none)
#User: test 
#Sep 13 00:01:15 test su[24637]: + ??? root:daemon
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<sip_event>\S+) (?P<service>\w+).*:.*:(?P<user_event>\w+)\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($sip)}
dst_ip={resolv($agent_ip)}
username={$user_event}
userdata1={$msg}
userdata2={$service}
userdata9={$agent_name}

[OSSEC - SSHD - Authentication]
#** Alert 1314684692.9769065: - syslog,sshd,authentication_success,
#2011 Aug 30 08:11:32 sensor->/var/log/auth.log
#Rule: 5715 (level 3) -> 'SSHD authentication success.'
#Src IP: 172.16.92.10
#User: test
#Aug 30 08:11:30 sensor sshd[5130]: Accepted password for test from 172.16.92.10 port 1234 ssh2

#** Alert 1314688944.9873902: - syslog,sshd,authentication_failed,
#2011 Aug 30 09:22:24 sensor->/var/log/auth.log
#Rule: 5716 (level 5) -> 'SSHD authentication failed.'
#Src IP: 172.16.92.10
#User: test
#Aug 30 09:22:23 sensor sshd[31965]: Failed password for test from 172.16.92.10 port 1234 ssh2

#** Alert 1314705764.10810361: - syslog,sshd,invalid_login,authentication_failed,
#2011 Aug 30 14:02:44 sensor->/var/log/auth.log
#Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
#Src IP: 172.16.92.10
#User: (none)
#Aug 30 14:02:44 sensor sshd[31410]: Failed none for invalid user test@test.test.com from 172.16.92.10 port 1234 ssh2
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor_event>\w+)\s+(?P<service>\w+)\[.*:\s(?P<msg_alert>.*)\s(for|user)\s(?P<user_event>\w+)(@(?P<hostname>\S+))?.*from\s+(?P<sip_event>.*)\s+(?P<sport>\d+)\s+ssh\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($sip)}
src_port={$sport}
src_ip={resolv($agent_ip)}
dst_ip={resolv($agent_ip)}
username={$user_event}
userdata1={$msg}
userdata2={$service}
userdata3={$hostname}
userdata9={$agent_name}

[OSSEC - SSHD - Invalid user]
#** Alert 1314918666.3384907: - syslog,sshd,invalid_login,authentication_failed,
#2011 Sep 02 01:11:06 test->/var/log/auth.log
#Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
#Src IP: 192.168.1.2
#User: (none)
#Sep  2 01:11:05 test sshd[7171]: Invalid user john.doe from 192.168.1.2
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\w{3}\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}) (?P<dst_event>\S+) (?P<service>\w+).*: (?P<msg_alert>Invalid user) (?P<user_event>\S+) from (?P<sip_event>.*)\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($sip)}
dst_ip={resolv($agent_ip)}
username={$user_event}
userdata1={$msg_alert}
userdata2={$service}
userdata9={$agent_name}

[OSSEC - SSHD - Session]
#** Alert 1314720098.14485984: - pam,syslog,
#2011 Aug 30 18:01:38 sensor->/var/log/auth.log
#Rule: 5502 (level 3) -> 'Login session closed.'
#Src IP: (none)
#User: (none)
#Aug 30 18:01:36 sensor su[25635]: pam_unix(su:session): session closed for user test

#** Alert 1314708018.10889540: - pam,syslog,authentication_success,
#2011 Aug 30 14:40:18 sensor->/var/log/auth.log
#Rule: 5501 (level 3) -> 'Login session opened.'
#Src IP: (none)
#User: (none)
#Aug 30 14:40:17 sensor sshd[30611]: pam_unix(sshd:session): session opened for user test by (uid=0)
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<sensor_event>\w+)\s+(?P<service>\w+)\[.*:\s+pam.*:\s(?P<msg_alert>session.*)\sfor\suser\s+(?P<user_event>\S+)\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
username={$user_event}
userdata1={$msg}
userdata2={$service}
userdata9={$agent_name}

[OSSEC - SSHD - Reverse mapping]
#** Alert 1315930103.4401376: - syslog,sshd,
#2011 Sep 13 18:08:23 test01->/var/log/auth.log
#Rule: 5702 (level 5) -> 'Reverse lookup error (bad ISP or attack).'
#Src IP: 192.162.1.2
#User: (none)
#Sep 13 18:08:22 test01 sshd[4564]: reverse mapping checking getaddrinfo for test.com [192.168.1.2] failed - POSSIBLE BREAK-IN ATTEMPT!
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\w+\s+\d+\s+\d+:\d+:\d+) (?P<sip_event>\S+) sshd.*: (?P<msg_event>.*) for (?P<dst_host>.*) \[(?P<dst_event>.*)\]\n"
date={normalize_date($date_event)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($sip_event)}
dst_ip={resolv($dst_event)}
userdata1={$msg_event}
userdata2="sshd"
userdata3={$dst_host}
userdata9={$agent_name}

[OSSEC - System - Checksum changed]
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\nIntegrity checksum changed for: \'(?P<file>.*)\'\n(?P<size>.*)\n.*\'(?P<md5_old>\w+)\'\n.*\'(?P<md5_new>\w+)\'\n.*\'(?P<sha1_old>\w+)\'\n.*\'(?P<sha1_new>\w+)\'\n"
date={normalize_date($date_header)}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
plugin_sid={$sid}
plugin_id={translate($sid)}
username={$user}
filename={$file}
userdata1={$size}
userdata2="New md5sum: {$md5_new}"
userdata3="Old md5sum: {$md5_old}"
userdata4="New sha1sum: {$sha1_new}"
userdata5="Old sha1sum: {$sha1_old}"
userdata9={$agent_name}

[OSSEC - System - Packages]
#** Alert 1315174094.20744: - syslog,dpkg,
#2011 Sep 05 00:08:14 opensourcesim->/var/log/dpkg.log
#Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
#Src IP: (none)
#User: (none)
#2011-09-05 00:08:12 install libaa1 <none> 1.4p5-37+b1

#** Alert 1315174465.34686: mail  - syslog,dpkg,config_changed,
#2011 Sep 05 00:14:25 opensourcesim->/var/log/dpkg.log
#Rule: 2902 (level 7) -> 'New dpkg (Debian Package) installed.'
#Src IP: (none)
#User: (none)
#2011-09-05 00:14:24 status installed libssl-dev 0.9.8o-4

#** Alert 1315174465.34952: mail  - syslog,dpkg,config_changed,
#2011 Sep 05 00:14:25 opensourcesim->/var/log/dpkg.log
#Rule: 2903 (level 7) -> 'Dpkg (Debian Package) removed.'
#Src IP: (none)
#User: (none)
#2011-09-05 00:14:24 remove libssl-dev 0.9.8o-4 0.9.8o-4

event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<date_event>\d{4}-\d{2}-\d{2}\s\d{1,2}:\d{1,2}:\d{1,2})\s(?P<action>install|status installed|remove)\s(?P<pkg>\S+)(\s.*)?\s(?P<version>\S+)\n"
date={normalize_date($date_event)}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
plugin_sid={$sid}
plugin_id={translate($sid)}
username={$user}
userdata1={$action}
userdata2={$pkg}
userdata3={$version}
userdata9={$agent_name}

[OSSEC - Windows Security audit - Failure]
#** Alert 1314658516.3799958: - windows,win_authentication_failed,
#2011 Aug 21 00:55:16 (172.16.92.10_002) 0.0.0.0->WinEvtLog
#Rule: 18106 (level 5) -> 'Windows Logon Failure.'
#Src IP: (none)
#User: (no user)
#WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: TestPC: An account failed to log on. Subject:  Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0  Logon Type:   3  Account For Which Logon Failed:  Security ID:  S-1-0-0  Account Name:  Test LLC  Account Domain:  TestLLC  Failure Information:  Failure Reason:  %%2313  Status:   0xc000006d  Sub Status:  0xc0000064  Process Information:  Caller Process ID: 0x0  Caller Process Name: -  Network Information:  Workstation Name: TESTLLC Source Network Address: fe80::2c07:b8c4:ea58:25d7  Source Port:  49585  Detailed Authentication Information:  Logon Process:  NtLmSsp   Authentication Package: NTLM  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\nWinEvtLog:\sSecurity.*AUDIT_FAILURE.*:.*:.*:\s(?P<domain>.*):\s(?P<hostname>.*):\s(?P<msg_alert>.*)\.\s+Subject.*Logon\sID:\s+(?P<logon_id>\S+).*\n"
date={normalize_date($date_header)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
username={$user}
userdata1={$msg}
userdata2={$domain}
userdata3={$hostname}
userdata4={$logon_id}
userdata9={$agent_name}

[OSSEC - Windows Security audit - Logged on/off]
#** Alert 1314719880.12791203: - windows,
#2011 Aug 31 10:58:00 (172.16.92.10_002) 0.0.0.0->WinEvtLog
#Rule: 18149 (level 3) -> 'Windows User Logoff.'
#Src IP: (none)
#User: test
#WinEvtLog: Security: AUDIT_SUCCESS(4634): Microsoft-Windows-Security-Auditing: test: test: test: An account was logged off. Subject:  Security ID:  S-1-5-21-4057735974-3357861449-790453786-1000  Account Name:  test Account Domain:  TestPC  Logon ID:  0x2409067  Logon Type:   7  This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer."  4646,1

#** Alert 1314719880.12788945: - windows,authentication_success,
#2011 Aug 30 17:58:00 (64.71.25.234_002) 0.0.0.0->WinEvtLog
#Rule: 18107 (level 3) -> 'Windows Logon Success.'
#Src IP: (none)
#User: test 
#WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: test: test: test: An account was successfully logged on. Subject:  Security ID:  S-1-5-18  Account Name:  Test$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Logon Type:   7  New Logon:  Security ID:  S-1-5-21-4057735974-3357861449-790453786-1000  Account Name:  test Account Domain:  Test Logon ID:  0x2407fe3  Logon GUID:  {00000000-0000-0000-0000-000000000000}  Process Information:  Process ID:  0x320  Process Name:  C:\Windows\System32\winlogon.exe  Network Information:  Workstation Name: TEST Source Network Address: 127.0.0.1  Source Port:  0  Detailed Authentication Information:  Logon Process:  User32   Authentication Package: Negotiate  Transited Services: -  Package Name (NTLM only): -  Key Length:  0  This event is generated when a logon session is created. It is generated on the computer that was accessed. 

event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\nWinEvtLog:\sSecurity.*AUDIT_SUCCESS.*:.*:.*:\s(?P<domain>.*):\s(?P<hostname>.*):\s(?P<msg_alert>.*)\.\s+Subject.*Logon\sID:\s+(?P<logon_id>\S+).*\n"
date={normalize_date($date_header)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
username={$user}
userdata1={$msg}
userdata2={$domain}
userdata3={$hostname}
userdata4={$logon_id}
userdata9={$agent_name}

[OSSEC - Windows Security audit -zzz- Generic Rule]
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\nWinEvtLog:\sSecurity.*AUDIT.*:.*:.*:\s(?P<domain>.*):\s(?P<hostname>.*):\s(?P<msg_alert>.*)\.\s+\n"
date={normalize_date($date_header)}
plugin_id={translate($sid)}
plugin_sid={$sid}
sensor={resolv($agent_ip)}
src_ip={resolv($agent_ip)}
username={$user}
userdata1={$msg}
userdata2={$domain}
userdata3={$hostname}
userdata9={$agent_name}

[OSSEC - Web -zzz- Generic Rule]
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)(\s\((?P<agent_name>\w+)?\))?\s(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n.*\[(?P<date_event>\d+\/\w+\/\d+:\d+:\d+:\d+).*\s\"(?P<http_request>\w+)\s(?P<url>.*)\s(?P<http_protocol>.*)\"\s(?P<http_code>\d{3})\s.*\"(?P<user_agent>.*)\"\n"
date={normalize_date($date_event)}
sensor={resolv($agent_ip)}
src_ip={resolv($sip)}
dst_ip={resolv($agent_ip)}
plugin_sid={$sid}
plugin_id={translate($sid)}
username={$user}
userdata1={$http_protocol}
userdata2={$http_code}
userdata3={$http_request}
userdata4={$url}
userdata5={$user_agent}
userdata9={$agent_name}

[OSSEC -zzz- Generic Rule]
event_type=event
regexp="Alert.*\n(?P<date_header>\d+\s+\w+\s+\d+\s+\d+:\d+:\d+)\s(\((?P<agent_name>.*)\)\s)?(?P<agent_ip>.*)->.*\nRule:\s+(?P<sid>\d+).*\'(?P<msg>.*)\'\nSrc\sIP:\s(?P<sip>.*)\nUser:\s(?P<user>.*)\n(?P<data>.*)\n"
date={normalize_date($date_header)}
sensor={resolv($agent_ip)}
src_ip={resolv($sip)}
dst_ip={resolv($agent_ip)}
plugin_sid={$sid}
plugin_id={translate($sid)}
username={$user}
userdata1={$msg}
userdata2={$data}
userdata9={$agent_name}
